

<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="../">
<head>
  <meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>Principles &mdash; IVRE  documentation</title>
      <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=80d5e7a1" />
      <link rel="stylesheet" type="text/css" href="../_static/css/theme.css?v=e59714d7" />
      <link rel="stylesheet" type="text/css" href="../_static/graphviz.css?v=4ae1632d" />

  
      <script src="../_static/jquery.js?v=5d32c60e"></script>
      <script src="../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
      <script src="../_static/documentation_options.js?v=5929fcd5"></script>
      <script src="../_static/doctools.js?v=9bcbadda"></script>
      <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
    <script src="../_static/js/theme.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Screenshots gallery" href="screenshots.html" />
    <link rel="prev" title="Overview" href="index.html" /> 
</head>

<body class="wy-body-for-nav"> 
  <div class="wy-grid-for-nav">

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
      </nav>

      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
             
  <section id="principles">
<h1>Principles<a class="headerlink" href="#principles" title="Link to this heading"></a></h1>
<p>IVRE is a network cartography (or network recon) framework.</p>
<section id="purposes">
<h2>Purposes<a class="headerlink" href="#purposes" title="Link to this heading"></a></h2>
<p>IVRE has five <strong>purposes</strong> (we use this word to refer to the different
types of data IVRE handles), which can be stored by one or more
<strong>backend</strong> databases:</p>
<ul>
<li><p><code class="docutils literal notranslate"><span class="pre">data</span></code>: associates IP ranges with Autonomous Systems (AS numbers and
names) and with geographical information (country, region, city), based
on data from <a class="reference external" href="https://www.maxmind.com/en/geoip2-services-and-databases">MaxMind GeoIP</a>. It can
be queried using:</p>
<blockquote>
<div><ul class="simple">
<li><p>Python API: the <code class="docutils literal notranslate"><span class="pre">db.data</span></code> object from the <code class="docutils literal notranslate"><span class="pre">ivre.db</span></code> module.</p></li>
<li><p>Command line: the <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">ipdata</span></code> tool.</p></li>
<li><p>Web (JSON) API: the <code class="docutils literal notranslate"><span class="pre">/cgi/ipdata/&lt;address&gt;</span></code> URL.</p></li>
</ul>
</div></blockquote>
</li>
<li><p><code class="docutils literal notranslate"><span class="pre">nmap</span></code> (sometimes also referred to as <code class="docutils literal notranslate"><span class="pre">scans</span></code>): contains <a class="reference external" href="http://nmap.org/">Nmap</a>, <a class="reference external" href="https://github.com/robertdavidgraham/masscan/">Masscan</a>, <a class="reference external" href="https://github.com/zhzyker/dismap/">Dismap</a>, <a class="reference external" href="https://github.com/zmap/zgrab2/">Zgrab2</a>, <a class="reference external" href="https://github.com/zmap/zdns">ZDNS</a>, <a class="reference external" href="https://github.com/projectdiscovery/nuclei">Nuclei</a>, <a class="reference external" href="https://github.com/projectdiscovery/httpx">httpx</a>, <a class="reference external" href="https://github.com/projectdiscovery/tlsx">tlsx</a> and <a class="reference external" href="https://github.com/projectdiscovery/dnsx">dnsx</a> scan results, as well
as <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">auditdom</span></code> results. Each record represents one host seen
during one network scan. It can be queried using:</p>
<blockquote>
<div><ul class="simple">
<li><p>Python API: the <code class="docutils literal notranslate"><span class="pre">db.nmap</span></code> object from the <code class="docutils literal notranslate"><span class="pre">ivre.db</span></code> module.</p></li>
<li><p>Command line: the <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">scancli</span></code> tool.</p></li>
<li><p>Web (JSON) API: the <code class="docutils literal notranslate"><span class="pre">/cgi/scans</span></code> and <code class="docutils literal notranslate"><span class="pre">/cgi/scans/*</span></code> URLs.</p></li>
</ul>
</div></blockquote>
</li>
<li><p><code class="docutils literal notranslate"><span class="pre">passive</span></code>: contains host intelligence captured from the network
using a dedicated <a class="reference external" href="https://www.zeek.org/">Zeek</a> module called
<code class="docutils literal notranslate"><span class="pre">passiverecon</span></code>, as well as from <a class="reference external" href="https://lcamtuf.coredump.cx/p0f3/">p0f</a> and
<a class="reference external" href="https://www.aircrack-ng.org/">airodump-ng</a> logs. Each record
represents one piece of information (<em>e.g.</em>, the HTTP <code class="docutils literal notranslate"><span class="pre">Server:</span></code>
header value <code class="docutils literal notranslate"><span class="pre">Apache</span></code> has been seen 10 times on port 80 of host
1.2.3.4). It can be queried using:</p>
<blockquote>
<div><ul class="simple">
<li><p>Python API: the <code class="docutils literal notranslate"><span class="pre">db.passive</span></code> object from the <code class="docutils literal notranslate"><span class="pre">ivre.db</span></code>
module.</p></li>
<li><p>Command line: the <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">ipinfo</span></code> and <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">iphost</span></code> tools. The
latter is dedicated to passive DNS queries.</p></li>
<li><p>Web (JSON) APIs: the <code class="docutils literal notranslate"><span class="pre">/cgi/passive</span></code> and <code class="docutils literal notranslate"><span class="pre">/cgi/passivedns</span></code>
URLs. The latter is dedicated to passive DNS and is compatible
with the <a class="reference external" href="https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/">Common Output Format</a>
implemented for example in CIRCL’s <a class="reference external" href="https://github.com/CIRCL/PyPDNS">PyPDNS</a>.</p></li>
</ul>
</div></blockquote>
</li>
<li><p><code class="docutils literal notranslate"><span class="pre">view</span></code>: contains a consolidated view of hosts based on data from
<code class="docutils literal notranslate"><span class="pre">nmap</span></code> and <code class="docutils literal notranslate"><span class="pre">passive</span></code>. The structure of the records is similar to
<code class="docutils literal notranslate"><span class="pre">nmap</span></code>, but each record represents a host, seen during one or more
network scans and/or seen from network captures. It can be queried using:</p>
<blockquote>
<div><ul class="simple">
<li><p>Python API: the <code class="docutils literal notranslate"><span class="pre">db.view</span></code> object from the <code class="docutils literal notranslate"><span class="pre">ivre.db</span></code> module.</p></li>
<li><p>Command line: the <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">view</span></code> tool.</p></li>
<li><p>Web (JSON) API: the <code class="docutils literal notranslate"><span class="pre">/cgi/view</span></code> and <code class="docutils literal notranslate"><span class="pre">/cgi/view/*</span></code> URLs.</p></li>
<li><p>Web UI: the <code class="docutils literal notranslate"><span class="pre">/</span></code> or <code class="docutils literal notranslate"><span class="pre">/index.html</span></code> Web page.</p></li>
</ul>
</div></blockquote>
</li>
<li><p><code class="docutils literal notranslate"><span class="pre">flow</span></code>: contains aggregated network flows, as seen by <a class="reference external" href="https://www.zeek.org/">Zeek</a>, <a class="reference external" href="http://qosient.com/argus/">Argus</a> or
Netflows (using <a class="reference external" href="http://nfdump.sourceforge.net/">Nfdump</a>). It can
be queried using:</p>
<blockquote>
<div><ul class="simple">
<li><p>Python API: the <code class="docutils literal notranslate"><span class="pre">db.flow</span></code> object from the <code class="docutils literal notranslate"><span class="pre">ivre.db</span></code> module.</p></li>
<li><p>Command line: the <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">flowcli</span></code> tool.</p></li>
<li><p>Web (JSON) API: the <code class="docutils literal notranslate"><span class="pre">/flows</span></code> URL.</p></li>
<li><p>Web UI: the <code class="docutils literal notranslate"><span class="pre">/flow.html</span></code> Web page.</p></li>
</ul>
</div></blockquote>
</li>
</ul>
<p>The (non-exhaustive) figure in the next section, “Storing data”, shows
how the data gets from your favorite open-source tools to IVRE’s databases.</p>
</section>
<section id="storing-data">
<h2>Storing data<a class="headerlink" href="#storing-data" title="Link to this heading"></a></h2>
<div class="graphviz"><img src="../_images/graphviz-2f6369a26823883990bcb83b9ac3555fffef6cc9.png" alt="digraph {
   graph [rankdir=LR];

   &quot;maxmind.com&quot;;
   &quot;Nmap&quot;;
   &quot;Masscan&quot;;
   &quot;ivre auditdom&quot;;
   &quot;Zgrab2&quot;;
   &quot;Zdns&quot;;
   &quot;Nuclei&quot;;
   &quot;httpx&quot;;
   &quot;tlsx&quot;;
   &quot;dnsx&quot;;
   &quot;Dismap&quot;;
   &quot;airodump-ng&quot;;
   &quot;p0f&quot;;
   &quot;Zeek&quot;;
   &quot;Zeek&quot;;
   &quot;Argus&quot;;
   &quot;Nfdump&quot;;

   XML [label=&quot;XML scan result&quot;];
   JSON [label=&quot;JSON scan result&quot;];
   CSV_LOG [label=&quot;airodump .csv files&quot;];
   P0F_LOG [label=&quot;p0f output files&quot;];
   PASS_LOG [label=&quot;passive_recon.log&quot;];
   FLOW_LOG [label=&quot;.log files&quot;];
   FLOWS [label=&quot;flow files&quot;];

   db_data [label=&quot;db.data&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
   db_nmap [label=&quot;db.nmap&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
   db_passive [label=&quot;db.passive&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
   db_flow [label=&quot;db.flow&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
   db_view [label=&quot;db.view&quot; shape=&quot;box&quot; style=&quot;filled&quot;];

   &quot;maxmind.com&quot; -&gt; db_data [label=&quot;ivre\nipdata&quot;];
   &quot;Nmap&quot; -&gt; XML [label=&quot;-oX&quot;];
   &quot;Masscan&quot; -&gt; XML [label=&quot;-oX&quot;];
   &quot;ivre auditdom&quot; -&gt; XML;
   &quot;ivre auditdom&quot; -&gt; JSON [label=&quot;--json&quot;];
   &quot;Zgrab2&quot; -&gt; JSON [label=&quot;-o&quot;];
   &quot;Zdns&quot; -&gt; JSON [label=&quot;-o&quot;];
   &quot;Nuclei&quot; -&gt; JSON [label=&quot;-json -o&quot;];
   &quot;httpx&quot; -&gt; JSON [label=&quot;-json -o&quot;];
   &quot;tlsx&quot; -&gt; JSON [label=&quot;-json -o&quot;];
   &quot;dnsx&quot; -&gt; JSON [label=&quot;-json -o&quot;];
   &quot;Dismap&quot; -&gt; JSON [label=&quot;-j&quot;];
   &quot;airodump-ng&quot; -&gt; CSV_LOG [label=&quot;-w&quot;];
   &quot;p0f&quot; -&gt; P0F_LOG [label=&quot;-o&quot;];
   &quot;Zeek&quot; -&gt; PASS_LOG [label=&quot;passiverecon&quot;];
   &quot;Zeek&quot; -&gt; FLOW_LOG;
   &quot;Argus&quot; -&gt; FLOWS;
   &quot;Nfdump&quot; -&gt; FLOWS;

   XML -&gt; db_nmap [label=&quot;ivre\nscan2db&quot;];
   JSON -&gt; db_nmap [label=&quot;ivre\nscan2db&quot;];
   CSV_LOG -&gt; db_passive [label=&quot;ivre\nairodump2db&quot;];
   P0F_LOG -&gt; db_passive [label=&quot;ivre\np0f2db&quot;];
   PASS_LOG -&gt; db_passive [label=&quot;ivre\npassiverecon2db&quot;];
   FLOW_LOG -&gt; db_flow [label=&quot;ivre\nzeek2db&quot;];
   FLOWS -&gt; db_flow [label=&quot;ivre\nflow2db&quot;];
   db_passive -&gt; db_view [label=&quot;ivre\ndb2view&quot;];
   db_nmap -&gt; db_view [label=&quot;ivre\ndb2view&quot;];

   {
     rank = same;
     edge[style=invis];
     &quot;maxmind.com&quot; -&gt; &quot;Nmap&quot; -&gt; &quot;Masscan&quot; -&gt; &quot;ivre auditdom&quot; -&gt; &quot;Zgrab2&quot; -&gt; &quot;Zdns&quot; -&gt; &quot;Nuclei&quot; -&gt; &quot;httpx&quot; -&gt; &quot;tlsx&quot; -&gt; &quot;dnsx&quot; -&gt; &quot;Dismap&quot; -&gt; &quot;airodump-ng&quot; -&gt; &quot;p0f&quot; -&gt; &quot;Zeek&quot; -&gt; &quot;Zeek&quot; -&gt; &quot;Argus&quot; -&gt; &quot;Nfdump&quot;;
     rankdir = UD;
   }
}" class="graphviz" /></div>
</section>
<section id="accessing-data">
<h2>Accessing data<a class="headerlink" href="#accessing-data" title="Link to this heading"></a></h2>
<p>The following (also non-exhaustive) figures show how the data gets
from IVRE’s databases back into your hands.</p>
<div class="graphviz"><img src="../_images/graphviz-f3a9d1551609259fb7dbeca90e2770cd757af72a.png" alt="digraph {
    db_data [label=&quot;db.data&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
    db_flow [label=&quot;db.flow&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
    db_nmap [label=&quot;db.nmap&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
    web_api_data [label=&quot;Web API\n/ipdata&quot;];
    web_api_flows [label=&quot;Web API\n/flows&quot;];
    web_api_scans [label=&quot;Web API\n/scans&quot;];
    web_ui_flow [label=&quot;Web UI\n/flow.html&quot;];
    cli_ipdata [label=&quot;CLI\nipdata&quot;];
    cli_flow [label=&quot;CLI\nflowcli&quot;];
    cli_scancli [label=&quot;CLI\nscancli&quot;];
    db_data -&gt; web_api_data;
    db_flow -&gt; web_api_flows;
    db_flow -&gt; cli_flow;
    db_nmap -&gt; web_api_scans;
    web_api_flows -&gt; web_ui_flow;
    db_data -&gt; cli_ipdata;
    db_nmap -&gt; cli_scancli;
}" class="graphviz" /></div>
<div class="graphviz"><img src="../_images/graphviz-895f16ae20541f9b2ee5370c2ec2d9ff25b1a4d9.png" alt="digraph {
    db_passive [label=&quot;db.passive&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
    db_view [label=&quot;db.view&quot; shape=&quot;box&quot; style=&quot;filled&quot;];
    web_api_passive [label=&quot;Web API\n/passive&quot;];
    web_api_passivedns [label=&quot;Web API\n/passivedns&quot;];
    web_api_view [label=&quot;Web API\n/view&quot;];
    web_ui_view [label=&quot;Web UI /&quot;];
    cli_ipinfo [label=&quot;CLI\nipinfo&quot;];
    cli_iphost [label=&quot;CLI\niphost&quot;];
    cli_view [label=&quot;CLI\nview&quot;];
    db_view -&gt; web_api_view;
    web_api_view -&gt; web_ui_view;
    db_view -&gt; cli_view;
    db_passive -&gt; web_api_passive;
    db_passive -&gt; web_api_passivedns;
    db_passive -&gt; cli_ipinfo;
    db_passive -&gt; cli_iphost;
}" class="graphviz" /></div>
</section>
</section>


           </div>
          </div>
          <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2011 - 2025, Pierre LALET.</p>
  </div>

   

</footer>
        </div>
      </div>
    </section>
  </div>

</body>
</html>